On Wed, 02 Feb 2005 18:12:50 +0100, Stian Øvrevåge said:

> Don't you think it's a little strange if packets with source address
> 88.88.88.88 were leaving your 10.0.0.0 network? Or packets from
> 10.0.0.33 were coming in on the WAN interface?
>
> Also, packet filtering is based on router configuration. More and more
> administrators are filtering packets with unexpected source and/or
> destination addresses (ingress and egress filtering).

The number of sites doing proper filtering may be growing, but it's certainly still low enough that the attack still has a fairly high chance of working.

Also, there's another benefit to the attack - if the site isn't clued enough to do basic bogon filtering, it's even *more* likely to throw any investigation off in the wrong direction.

You're also missing another point - an inbound packet from 10/8 would certainly look fishy. But would you question a packet that came in from 64.236/16 or 64.12/16 or anywhere in akadns.net's address space? (cnn.com lives in the first, AOL's mail servers in the second, and Google is an akadns beast...)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
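Added example, not part of the original thread: a minimal source-address filter that applies the egress, ingress and bogon checks discussed above to the addresses mentioned in the two messages. The `10.0.0.0/8` internal prefix follows the quoted example; the short bogon list, the interface names and the sample host addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the site's only internal prefix is 10.0.0.0/8, as in the quoted mail.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Short constructed bogon list (unroutable sources); production lists are longer.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

def _in_any(addr, nets):
    return any(addr in n for n in nets)

def filter_verdict(interface, src):
    """Return (action, reason) for a packet's source address.

    interface "lan": packet arrives from inside, heading out (egress check).
    interface "wan": packet arrives from the Internet (ingress check).
    """
    addr = ipaddress.ip_address(src)
    if interface == "lan":
        if not _in_any(addr, INTERNAL):
            return ("drop", "egress: source is not one of our own prefixes")
        return ("pass", "egress: source belongs to the internal network")
    if interface == "wan":
        if _in_any(addr, INTERNAL):
            return ("drop", "ingress: our own prefix arriving from outside")
        if _in_any(addr, BOGONS):
            return ("drop", "ingress: bogon source")
        # A routable source cannot be validated at the receiving edge.
        return ("pass", "ingress: routable source, not verifiable here")
    raise ValueError("unknown interface: %r" % interface)

# Constructed samples: the two packets from the quoted mail, hosts inside the
# 64.236/16 and 64.12/16 ranges named in the reply, and one RFC 1918 source.
SAMPLES = [
    ("lan", "88.88.88.88"),
    ("wan", "10.0.0.33"),
    ("wan", "64.236.0.10"),
    ("wan", "64.12.0.10"),
    ("wan", "192.168.1.5"),
]

def run_samples():
    return [(i, s) + filter_verdict(i, s) for i, s in SAMPLES]

if __name__ == "__main__":
    for iface, src, action, reason in run_samples():
        print(f"{iface:3} {src:15} {action:4} {reason}")
```

The two packets from the quoted mail are dropped, while the sources in ordinary routable space pass the receiving site's checks; only egress filtering at the network where such a packet originates can reject it.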